Privacy Policy

Your data powers your marketing. Not ours. This policy explains exactly what we collect, why we collect it, and how we protect it.

Last updated: 27 March 2026

Your data powers your marketing — not ours. We never sell it. You can take it with you anytime.

That's our privacy promise, in full.

1. Information we collect

Information you provide

When you create an account, we collect your name, email address, and password (hashed, never stored in plaintext). As you use Cleo, you provide business information, marketing content, brand assets, documents, and strategic preferences. This is the data that makes Cleo useful to you.

Information from integrations

When you connect third-party services (Shopify, Meta Ads, Google Analytics, etc.), we access only the data you explicitly authorise through OAuth. We request the minimum scopes needed for each integration. For example, we request read-only access to your Shopify products, orders, and customers; we never modify your store data unless you explicitly ask Cleo to take an action.

Usage data

We collect anonymised usage data to improve the platform: pages visited, features used, and performance metrics. We use Sentry for error tracking and Vercel Analytics for web performance. We do not track you across other websites.

2. How we use your information

  • Deliver the service. Your business data, documents, and integrations power Cleo's AI-driven marketing recommendations, content creation, campaign management, and analytics.
  • Personalise your experience. Cleo learns your brand voice, strategic preferences, and business context to give increasingly relevant advice.
  • Improve the platform. Aggregated, anonymised usage patterns help us identify bugs, improve features, and build what matters most.
  • Communicate with you. We send transactional emails (password resets, connection alerts) and occasional product updates. You can opt out of non-essential emails at any time.
  • Ensure security. We monitor for suspicious activity, enforce rate limits, and log authentication events to protect your account.

We do not sell your data. We do not share your data with advertisers. We do not use your data to train general-purpose AI models.

3. AI and your data

Cleo uses AI models from Anthropic, Google, and OpenAI to power conversations, content generation, image creation, video production, and strategic analysis. When you interact with Cleo, relevant context from your documents and business profile is sent to these providers to generate responses.

What we send to AI providers

  • Your conversation messages and relevant document excerpts (typically 4,000–6,000 tokens of context per request)
  • Business profile summaries and strategic preferences
  • Content you ask Cleo to create or review
  • Brand assets and product images for visual generation tasks

What we do not send

  • Raw integration tokens or API keys
  • Full customer lists or personally identifiable customer data
  • Payment or billing information

Google API data and AI/ML training

Cleo accesses Google user data through Google Analytics, Google Search Console, and Google Ads APIs. This data is used exclusively to provide you with marketing intelligence, performance analysis, and campaign management features within the Cleo platform.

Cleo does not use Google API data to develop, improve, or train generalised or non-generalised artificial intelligence or machine learning models. This applies to all data obtained through Google APIs, including analytics data, search performance data, and advertising data.

When Google API data is included as context in AI-generated responses (for example, when Cleo analyses your website traffic trends or ad performance), it is sent to AI providers solely to generate a response for you in that session. The data is not stored by the AI provider, not used for model training, and not accessible to other users.

AI provider commitments

Cleo uses AI APIs from Anthropic, Google, and OpenAI under their respective data processing terms. All three providers contractually commit that data submitted through their APIs is:

  • Not used to train, improve, or fine-tune their general-purpose models
  • Not stored beyond the duration needed to generate a response (typically seconds)
  • Not accessible to other customers or used for any purpose other than serving your request

Your business data remains yours — it is processed to serve you, never to train AI models. This applies to all data sources, including data obtained through Google APIs.

4. Third-party integrations

Cleo connects to external services at your direction. Each integration uses OAuth or API keys, and we request only the permissions necessary for the features you use.

Service | Data accessed | Purpose
Shopify | Products, orders, customers, analytics (read-only) | E-commerce intelligence and marketing recommendations
Meta (Facebook/Instagram) | Ad accounts, campaigns, page engagement | Ad management and social publishing
Google Analytics | Traffic, conversions, audience data (read-only) | Performance analysis and recommendations
Google Search Console | Search queries, rankings, indexing (read-only) | SEO analysis and keyword tracking
Google Ads | Campaigns, ad groups, performance metrics, budgets | Search, Display, and Performance Max campaign management
Stripe | Subscription status, payment events | Billing and subscription management
Resend | Email delivery and engagement metrics | Email marketing campaigns

You can disconnect any integration at any time from the Channels page. Disconnecting immediately revokes our access. Cached data from that integration is deleted within 24 hours.

5. Data storage and security

  • Infrastructure. Your data is stored on Supabase (PostgreSQL) with row-level security policies that isolate each organisation's data. The application is hosted on Vercel.
  • Encryption at rest. All data is encrypted at rest using AES-256. Integration OAuth tokens receive an additional layer of application-level encryption (AES-256-GCM) before storage.
  • Encryption in transit. All connections use TLS 1.2 or higher. We enforce HTTPS with HSTS preloading.
  • Access control. Every database query is scoped to your organisation via row-level security. Server-side authentication is verified on every request.
  • Monitoring. We use Sentry for error tracking and structured logging for security events. All authentication events, data access patterns, and API calls are logged for audit purposes.

Security and incident response

We take data security seriously and actively monitor our systems for unusual activity, unauthorised access attempts, and potential vulnerabilities. Our security practices include:

  • Continuous monitoring. Automated error tracking, structured security logging, and real-time alerting on authentication anomalies and suspicious API patterns.
  • Access logging. All access to customer data is logged with timestamps, user identity, and action taken for audit purposes.
  • Incident response. In the event of a security incident, we act immediately to contain, investigate, and resolve the issue. We notify affected users within 72 hours with a clear description of what happened, what data was affected, and what steps we are taking to prevent recurrence, as required by GDPR and the Australian Privacy Act.
  • Vulnerability management. We keep all dependencies up to date and address security vulnerabilities as a priority. Critical patches are deployed within 24 hours of discovery.

6. Data retention

We retain your data for as long as your account is active. Conversation history is summarised periodically to maintain context without storing every message indefinitely.

When you delete your account, we permanently remove all your data within 30 days, including: documents, conversations, brand assets, integration data, analytics, and contact lists. Anonymised, aggregated usage statistics may be retained.

You can request immediate deletion at any time by contacting privacy@cleoos.io, or by using the data deletion page at /deletion.

7. Your rights

Depending on your jurisdiction, you have the right to:

  • Access all data we hold about you and your organisation
  • Export your data in JSON or CSV format from Settings at any time
  • Correct inaccurate information in your profile or documents
  • Delete your account and all associated data
  • Restrict processing of your data in certain circumstances
  • Object to processing based on legitimate interests
  • Portability of your data to another service

To exercise any of these rights, use the data export and deletion features in Settings, or contact us at privacy@cleoos.io. We respond to all requests within 30 days.

8. Cookies and tracking

Cleo uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

Cookie | Purpose | Duration
sb-*-auth-token | Authentication session | Session / 7 days
sb-*-auth-token-code-verifier | PKCE code verification for secure OAuth | Session

That's it. Two cookies. Both essential. No cookie banner needed because we don't track you.

9. Children's privacy

Cleo is a business tool designed for professionals. We do not knowingly collect data from anyone under the age of 16. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

10. International transfers

Cleo's infrastructure spans multiple regions. Your data may be processed in:

  • Australia — Primary database (Supabase)
  • United States — Application hosting (Vercel), AI model inference (Anthropic, Google, OpenAI)

Where data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including standard contractual clauses where required by GDPR.

11. Changes to this policy

We may update this policy to reflect changes in our practices or for legal reasons. Material changes will be communicated via email and an in-app notification at least 14 days before they take effect. Continued use of Cleo after changes constitutes acceptance.

12. Contact us

For privacy-related questions, data requests, or concerns:

Email: privacy@cleoos.io

Entity: Cleo Technologies Pty Ltd

Location: Sydney, Australia